
fix: audit hash-chain GDPR, serialization, and alerting (#541-544) #738

Open
2witstudios wants to merge 4 commits into master from ppg/audit-hardening

Conversation

@2witstudios (Owner)

Summary

  • GDPR-safe hash chain ([Audit] Hash-chain GDPR fix #541): Hash computation excludes PII fields (userId, sessionId, ipAddress, userAgent, geoLocation) so the chain stays verifiable after right-to-erasure anonymization
  • Advisory lock serialization ([Audit] Hash-chain serialization #542): Replaced FOR UPDATE row locking with pg_advisory_xact_lock to prevent concurrent chain forks — works even on empty tables (genesis case)
  • Verification alerting ([Audit] Verification alerting #544): Added setChainAlertHandler callback and startPeriodicVerification cron scheduler that fires alerts on chain integrity failures

Test plan

  • Chain verifiable after PII anonymization (4 GDPR-specific tests)
  • Advisory lock acquired before hash read (3 serialization tests)
  • Alert fires on broken chain, not on valid chain (14 alerting tests)
  • All 70 audit tests pass across 5 test files
  • Manual: verify advisory lock behavior under concurrent load
  • Manual: confirm periodic verification fires at configured interval

🤖 Generated with Claude Code

2witstudios and others added 3 commits February 27, 2026 22:50
Hash chain now only includes non-PII fields (eventType, serviceId, resourceType,
resourceId, details, riskScore, anomalyFlags, timestamp, previousHash) so the
chain remains verifiable after GDPR anonymization erases user data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace FOR UPDATE row locking with pg_advisory_xact_lock to prevent
concurrent chain forks. Advisory locks work even on an empty table
(genesis case) where no row exists to lock.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add alert handler callback and periodic cron verification scheduler.
Fires alerts when chain verification detects tampering or breaks.
Includes setChainAlertHandler, verifyAndAlert, startPeriodicVerification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
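The GDPR-safe chain the summary and the first commit describe, as an added example that is not the project's code: the hashed field list and the PII exclusion list come from the PR text, while the canonical serialization (sha256 over fixed-order JSON), the GENESIS_HASH sentinel and the simplified alert hook named after setChainAlertHandler/verifyAndAlert are assumptions. It also shows that tampering with a non-PII field is still detected after anonymization.

```typescript
import { createHash } from "node:crypto";

// Constructed event shape. Hashed and PII field lists follow the PR summary;
// the canonical serialization (sha256 over fixed-order JSON) is an assumption.
export interface AuditEvent {
  eventType: string; serviceId: string; resourceType: string; resourceId: string;
  details: Record<string, unknown>; riskScore: number; anomalyFlags: string[];
  timestamp: string; previousHash: string; hash: string;
  userId: string | null; sessionId: string | null; ipAddress: string | null;
  userAgent: string | null; geoLocation: string | null;
}
export type NewEvent = Omit<AuditEvent, "hash" | "previousHash">;
const HASHED = ["eventType", "serviceId", "resourceType", "resourceId", "details",
  "riskScore", "anomalyFlags", "timestamp", "previousHash"] as const;
const PII = ["userId", "sessionId", "ipAddress", "userAgent", "geoLocation"] as const;
export const GENESIS_HASH = "0".repeat(64); // assumed sentinel for the first link

// The hash covers only non-PII fields, so erasing PII later leaves it unchanged.
export function computeHash(e: Omit<AuditEvent, "hash">): string {
  const payload = HASHED.map((f) => [f, e[f]]);
  return createHash("sha256").update(JSON.stringify(payload)).digest("hex");
}
export function appendEvent(chain: AuditEvent[], input: NewEvent): AuditEvent {
  const previousHash = chain.length ? chain[chain.length - 1].hash : GENESIS_HASH;
  const unhashed = { ...input, previousHash };
  const event: AuditEvent = { ...unhashed, hash: computeHash(unhashed) };
  chain.push(event);
  return event;
}
// Right-to-erasure: null out PII in place without touching any hashed field.
export function anonymize(e: AuditEvent): AuditEvent {
  for (const f of PII) e[f] = null;
  return e;
}
// Index of the first broken link (bad previousHash or recomputed hash), or -1 if intact.
export function firstBrokenIndex(chain: AuditEvent[]): number {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    if (chain[i].previousHash !== expectedPrev || computeHash(chain[i]) !== chain[i].hash) return i;
    expectedPrev = chain[i].hash;
  }
  return -1;
}
// Simplified alert hook modelled on the PR's setChainAlertHandler / verifyAndAlert names.
let alertHandler: ((brokenAt: number) => void) | null = null;
export function setChainAlertHandler(h: (brokenAt: number) => void): void { alertHandler = h; }
export function verifyAndAlert(chain: AuditEvent[]): boolean {
  const brokenAt = firstBrokenIndex(chain);
  if (brokenAt >= 0 && alertHandler) alertHandler(brokenAt);
  return brokenAt < 0;
}
```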
@coderabbitai (Contributor)

coderabbitai bot commented Feb 28, 2026

Warning

Rate limit exceeded

@2witstudios has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 36 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between afb36e6 and 9e776ae.

📒 Files selected for processing (8)
  • packages/lib/src/audit/__tests__/mask-email.test.ts
  • packages/lib/src/audit/__tests__/security-audit-alerting.test.ts
  • packages/lib/src/audit/__tests__/security-audit-chain-verifier.test.ts
  • packages/lib/src/audit/__tests__/security-audit.test.ts
  • packages/lib/src/audit/index.ts
  • packages/lib/src/audit/security-audit-alerting.ts
  • packages/lib/src/audit/security-audit-chain-verifier.ts
  • packages/lib/src/audit/security-audit.ts


Use explicit `any` for transaction callback parameter in mock to avoid
Drizzle ORM complex generic type mismatch in test mocks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
